Cisco Security

Common Vulnerability Scoring System

Common Vulnerability Scoring System (CVSS) Online Calculator, version 1.0

Vector: AV:R/AC:H/Au:NR/C:P/I:P/A:N/B:N/E:F/RL:O/RC:C/CDP:N/TD:N

This tool is used to calculate a specific threat/vulnerability's CVSS score. Please select the appropriate options below, click "Calculate Score," and the CVSS score will be displayed. Use of this calculator is subject to the disclaimer below.

Base Parameters

Once discovered, analyzed, and catalogued, there are certain aspects of a vulnerability that do not change, assuming the initial information is complete and correct. These immutable characteristics will not change over time, nor in different environments. The base metric group captures the access to and impact on the target.

Access Vector

Local: The vulnerability is only exploitable locally (i.e. it requires physical access or interactive access to the target system).

Remote: The vulnerability is exploitable remotely.

Access Complexity

High: Specialized access conditions exist. For example, the system is exploitable during specific windows of time (a race condition), the system is exploitable under specific circumstances (non-default configurations), or the system is exploitable with victim interaction (vulnerability exploitable only if user opens e-mail).

Low: Specialized access conditions or extenuating circumstances do not exist; the system is always exploitable.

Authentication

Required: Authentication is required to access and exploit the vulnerability.

Not Required: Authentication is not required to access or exploit the vulnerability.

Confidentiality Impact

Partial: Considerable informational disclosure. Access to critical system files is possible. There is a loss of important information, but the attacker doesn't have control over what is obtainable or the scope of the loss is constrained. For example, partial would indicate a vulnerability that divulges bits of an encryption key or password hash information.

Complete: A complete loss of system protection resulting in all information being revealed. The attacker has sovereign control to read all of the system's data (memory, files, etc).

Integrity Impact

Partial: Considerable breach in integrity. Modification of system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is constrained. For example, key system or program files may be overwritten or modified, but at random or in a limited context or scope.

Complete: A total compromise of system integrity. There is a complete loss of system protection resulting in the entire system being compromised. The attacker has sovereign control to modify any system files.

Availability Impact

Partial: Considerable lag or interruptions in resource availability. For example, a network-based flood attack that reduces available bandwidth to a web server farm to such an extent that only a small number of connections successfully complete.

Complete: Total shutdown of the affected resource. The attacker can render the resource completely unavailable.

Impact Bias

Normal: Confidentiality impact, integrity impact, and availability impact are all assigned the same weight.

Temporal Parameters

As a vulnerability ages, certain intrinsic characteristics will change with time. In many cases, when a vulnerability is first discovered, the number of vulnerable systems will be at or close to its peak, while the availability of exploit and remedial information will be at its lowest point. As time progresses, patch information will become more available and more systems will be fixed as more exploits occur, driving the need for the fix. Eventually, the number of vulnerable systems will reach its low point as remedial information reaches its high point. The CVSS temporal metrics group captures these characteristics of a vulnerability that change over time.

Exploitability

Unproven: No exploit code is yet available.

Proof of Concept: Proof of concept exploit code is available. The code is not functional in all situations and may require hand tuning in order to get it to work in any situation.

Functional: Functional exploit code is available. The code works in most situations where the vulnerability is exploitable.

High: Exploitable by functional mobile autonomous code. The code works in every situation where the vulnerability is exploitable and is actively being delivered via a mobile autonomous agent (a worm or virus).

Remediation Level

Official Fix: Complete vendor solution available.

Temporary Fix: There is an official, temporary fix available.

Workaround: There is an unofficial non-vendor solution available.

Unavailable: There is either no solution available or it is impossible to apply.

Report Confidence

Unconfirmed: A single unconfirmed source or possibly several conflicting reports. There is little confidence in the validity of the report. For example, a rumor that surfaces from the hacker underground.

Confirmed: Vendor has reported/confirmed a problem with its own product.

Temporal Score: 3.1

Environmental Parameters

Different user environments can have an immense bearing on how (or if) a vulnerability affects a given information system and its stakeholders. The CVSS environmental metrics group captures characteristics of vulnerabilities that are tied to system distribution and network environment.

Collateral Damage Potential

Low: A successful exploit of this vulnerability may result in light property damage or loss. The system itself may be damaged or destroyed.

Medium: A successful exploit of this vulnerability may result in significant property damage or loss.

High: A successful exploit of this vulnerability may result in catastrophic property damage and loss. The range of effect may be over a wide area.

Target Distribution

None: No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. As best as can be determined, no systems currently deployed within the environment depend on target systems for business operations. Effectively 0% of the environment is considered at risk.

Low: Targets exist inside the environment, but on a small scale. Between 1 percent and 15 percent of the total environment is considered at risk.

Medium: Targets exist inside the environment, but on a medium scale. Between 16 percent and 49 percent of the total environment is considered at risk.

High: Targets exist inside the environment on a considerable scale. Between 50 percent and 100 percent of the total environment is considered at risk.
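
The vector shown at the top of this page can be validated and scored outside the web form. The following Python is an added example, not Cisco's calculator code: the weights and formulas come from the CVSS v1 specification rather than this page, the fixed metric order is this example's assumption, and value abbreviations that do not appear in the page's vector (for example `AV:L` or `RC:U`) are assumed.

```python
# Weights follow the CVSS v1 specification; they do not appear on this page.
# Abbreviations not present in the page's own vector are assumed.
WEIGHTS = {
    "AV": {"L": 0.7, "R": 1.0},
    "AC": {"H": 0.8, "L": 1.0},
    "Au": {"R": 0.6, "NR": 1.0},
    "C": {"N": 0.0, "P": 0.7, "C": 1.0},
    "I": {"N": 0.0, "P": 0.7, "C": 1.0},
    "A": {"N": 0.0, "P": 0.7, "C": 1.0},
    "E": {"U": 0.85, "P": 0.90, "F": 0.95, "H": 1.0},
    "RL": {"O": 0.87, "T": 0.90, "W": 0.95, "U": 1.0},
    "RC": {"U": 0.90, "C": 1.0},
    "CDP": {"N": 0.0, "L": 0.1, "M": 0.3, "H": 0.5},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0},
}
# Impact bias value -> (confidentiality, integrity, availability) multipliers
BIAS = {"N": (0.333, 0.333, 0.333), "C": (0.5, 0.25, 0.25),
        "I": (0.25, 0.5, 0.25), "A": (0.25, 0.25, 0.5)}
ORDER = ["AV", "AC", "Au", "C", "I", "A", "B", "E", "RL", "RC", "CDP", "TD"]

def parse_vector(vector):
    """Split a v1 vector into {metric: value}, rejecting malformed input."""
    fields = [part.split(":", 1) for part in vector.strip().split("/")]
    if any(len(f) != 2 for f in fields) or [f[0] for f in fields] != ORDER:
        raise ValueError("expected metrics in order: " + "/".join(ORDER))
    metrics = dict(fields)
    for name, value in metrics.items():
        allowed = BIAS if name == "B" else WEIGHTS[name]
        if value not in allowed:
            raise ValueError(f"invalid value {value!r} for metric {name}")
    return metrics

def score(vector):
    """Return base, temporal and environmental scores, each rounded to 0.1."""
    m = parse_vector(vector)
    w = {k: WEIGHTS[k][v] for k, v in m.items() if k != "B"}
    cb, ib, ab = BIAS[m["B"]]
    impact = w["C"] * cb + w["I"] * ib + w["A"] * ab
    base = round(10 * w["AV"] * w["AC"] * w["Au"] * impact, 1)
    temporal = round(base * w["E"] * w["RL"] * w["RC"], 1)
    env = round((temporal + (10 - temporal) * w["CDP"]) * w["TD"], 1)
    return {"base": base, "temporal": temporal, "environmental": env}

# The vector displayed on this page
PAGE_VECTOR = "AV:R/AC:H/Au:NR/C:P/I:P/A:N/B:N/E:F/RL:O/RC:C/CDP:N/TD:N"
if __name__ == "__main__":
    print(score(PAGE_VECTOR))
```

For the page's vector this reproduces the displayed temporal score; the environmental score is zero because Target Distribution is None.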

Related Links

Cisco endorses and subscribes to the vulnerability guidelines outlined by the National Infrastructure Advisory Council (NIAC). The NIAC commissioned the development of the Common Vulnerability Scoring System (CVSS), which is currently maintained by FIRST (Forum of Incident Response and Security Teams), www.first.org, and was a combined effort involving many companies, including Cisco Systems, Inc.

GENERAL DISCLAIMER AND LIMITATION OF LIABILITY

All information provided by the CVSS Online Calculator is for informational purposes only and is subject to change or withdrawal at any time without notice. The CVSS Online Calculator is a pilot program and Cisco assumes no responsibility for the accuracy or completeness of the information provided and any decision made or action taken or not taken in reliance upon the information provided or furnished hereunder. The information and results provided by the CVSS Online Calculator vary based on the information provided by each user, which is specific to each user's network and cannot be verified or confirmed by Cisco. The CVSS Online Calculator is offered only as a convenience and any use of the results or information provided is at the user's risk.

ALL INFORMATION PROVIDED ON THIS WEB PAGE AND BY THE CVSS ONLINE CALCULATOR IS PROVIDED "AS IS" WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED. CISCO DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. CISCO SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR REVENUES, COSTS OF REPLACEMENT GOODS, LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE CVSS CALCULATOR, DAMAGES RESULTING FROM USE OF OR RELIANCE ON THE CVSS CALCULATOR, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.